Extortion Virus Code Cracked
Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
I was just looking for that. Thanks!
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Odd how that "30 digit password" has 38 characters, 13 of which are digits.
Don't blame me; I'm never given mod points.
We are all now victims of a DMCA lawsuit!
Get your Unix fortune now!
These days even the virus authors don't know anything about writing secure software :(
That's the combination to my luggage!
"A REAL computer has ONE speed and the only powersaving it permits is when you pull the power leads out of the back!"
Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)
Hmm...
It also works for new Windows XP Professional installs.
Strange.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
seriously my next guess
Hasn't this been around for a while? According to this page, the password has been known for at least a month.
It's not even "by the way" at all. It follows directly from the previous sentence, and is perfectly ontopic. Get your act together.
You mean that when they pay up the people actually let them get their files back? You would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that? I wonder if this will now work like it should in the perfect open source community though: a bug is found, someone patches it, the new stuff is available within the day, maybe even better than before?
*''I can't believe it's not a hyperlink.''
""apparently the virus writer made one small, critical error in coding: placing the password in the code""
Well, now they won't make that mistake again.
Sometimes, leaving something out [like how they screwed up] may make the rest of us a little safer.
And changing the virus's password is how hard again?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
heh, is this strings to the rescue?
:)
one of the best programs evar
sad robot making broken music
If you are still betting on antivirus companies to keep you safe, you should consider this a warning. There is no technical reason why the password should be recoverable. Had the author used strong public key cryptography instead of a symmetric cypher, there would be no way to get the key without the help of the virus author. The only way to be safe is to not get infected and that means you have to use your brain.
If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw-over the extortionist ASAP?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."
Are online pharmacies so unregulated that criminals can extort people as a means for advertising?
Wow.
placing the password in the code
How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?
Your hair look like poop, Bob! - Wanker.
Strike anyone else as odd that the BBC (et al.) ran this story big time - made the World Service - on the same day that Microsoft announced their all-in-one security suite, that, by coincidence, protects against such viruses?
1) Write ransom virus ....
2) Release
3)
4) Profit!
Wait - that actually works I think
I thought it was a good idea
Even if the virus writer had used public/private key encryption, once the key was given to one victim after the ransom was paid, the key would almost definitely be all over the net.
If he had used a different key-pair per infected user, then every time the virus was infecting a new machine it would have to contact the source to save the new key-pair and a marker to identify the machine it had just infected, to be able to associate the right key-pair with the victim. This by itself is not a great idea because the source could then be identified by the cops and action could be taken.
As far as the mode of paying the ransom is concerned I wonder which these pharmacy sites are and why action cannot be taken against them.
How can this possibly be fool-proof?
-1 "WHERE YOU BEEN?"
he's just realized that Windows is the front end of a racket?
[full disclosure - posted from a cube on an XP install running Office+Publisher+Visio+Project]
[[will testify after placement in witness protection]]
+1 fashionably cynical
Does anyone know how I can put in this password using the archive utility built in to OS X? Oh, wait! I don't have the virus! I'm running OS X!
You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.
The virus writers could have used a GPL-based crypt library, but realized that there would be legal issues involved, requiring them to open-source the whole virus.
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
today's Sesame Street program has been brought to you by:
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm and w
Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
Wow, I can see it now. New user clicks on "check email", sees "I Love You!" and clicks on the attachment. A popup window with a gun pointing out the screen appears and the message: "Alright buddy, this is a stickup - Type your bank account password in the field below and click 'submit' or everything in My Documents gets deleted!! I'm not kidding!!! Do it NOW!!!!"
try { do() || do_not(); } catch (JediException err) { yoda(err); }
And probably /. readers have been posting this for about a month, and getting it rejected by the wonderful /. editors.
Has this guy been arrested? It shouldn't have taken a genius law enforcement officer to make a payment for this and track it and then pick the guy up?
don't forget! ... and change the combination on my luggage!
President Skroob:
Technically, I would say this virus is encrypted, so wouldn't broadcasting a way to "crack" the virus on slashdot be a violation of the DMCA?
There seems to be one glaring problem with the idea of ransomware:
Eventually you're gonna piss off the wrong person.
Imagine the DoD or the CIA getting hit with this. They look up the registrar of the sites you are supposed to buy the drugs from. They then go visit that registrar's main office (borders, what borders? we're the CIA, we've never paid attention to sovereignty in the past.). They politely ask the registrar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
If it's the DoD which gets hit, replace CIA with a Navy SEAL team.
Necessity is the mother of invention.
Laziness is the father.
I am pretty sure that 'mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw' is a registry key for 'My Documents'. It had to be encrypted for 2 reasons:
1) Only you and MS can open 'My Documents'
2) They haven't yet worked out how to really have spaces in file names lusers use. [cue: spinning hour glass]
How'd that guy find out my root password!?
Creative misinterpretation is your friend.
b3 g1ad h3 wa$n'7 l33t 0r u'd b3 p0wn3d sux0r!
Could antivirus software's realtime protection work against this virus as well?
It could stop activity such as batch file manipulations as they occur, and prompt the user whether or not (s)he wants the action to continue. It would be similar to the "Worm Activity" warning I get from McAfee when I send emails using a distribution list with a large number of people on it--McAfee AV stops the mail from sending until I explicitly allow it. Thus, the AV protection for this extortion virus could stop mass file manipulations until explicit consent is given.
I decided to stop stealing cynical quotes to use as a signature line.
Using a string constant to hold an encryption key is pretty common among programmers new to encryption. It doesn't occur to them that someone is going to look at the string table and spot the key. A simple way to raise the bar is to construct the key on execution. The key can still be determined but it takes a lot more work.
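Added example, not code from the article, from the thread, or from any Archiveus sample: a minimal strings(1) pass in Go over a constructed fake image, showing the two situations the comment above describes. The key literal is the one quoted in the story; the surrounding bytes, the offset, and the XOR mask are constructed for this example. A key stored as a literal falls straight out of the strings dump; a key stored XOR-masked does not, but the analyst only has to run the same unmask routine the program itself runs.

```go
package main

import "fmt"

// The password reported in the story, used here only as the payload of a
// constructed sample image. Nothing in this example touches the real
// Archiveus binary.
const reportedKey = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"

// fakeImage builds a constructed stand-in for an executable: a few opaque
// header-looking bytes, then the key exactly as the program stored it, then
// more opaque bytes. The stored key begins at offset 10.
func fakeImage(storedKey []byte) []byte {
	img := []byte{0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0xff, 0x15}
	img = append(img, storedKey...)
	return append(img, 0x00, 0xc3, 0x90, 0x90, 0x0f, 0x1f, 0x00)
}

// extractStrings does what strings(1) does: it reports every run of at
// least minLen printable ASCII bytes found in the image.
func extractStrings(image []byte, minLen int) []string {
	var out []string
	var run []byte
	flush := func() {
		if len(run) >= minLen {
			out = append(out, string(run))
		}
		run = run[:0]
	}
	for _, b := range image {
		if b >= 0x20 && b <= 0x7e {
			run = append(run, b)
		} else {
			flush()
		}
	}
	flush()
	return out
}

// xorMask is the simplest "construct the key at run time" trick: what is
// stored is key XOR mask, and the same call rebuilds the key on demand.
func xorMask(in []byte, mask byte) []byte {
	out := make([]byte, len(in))
	for i, b := range in {
		out[i] = b ^ mask
	}
	return out
}

// keyVisibleToStrings reports whether a plain strings dump of the image
// contains the key verbatim.
func keyVisibleToStrings(image []byte) bool {
	for _, s := range extractStrings(image, 8) {
		if s == reportedKey {
			return true
		}
	}
	return false
}

// recoverConstructedKey is the analyst's side once the unmask routine has
// been located in a disassembler: run it over the stored bytes.
func recoverConstructedKey(image []byte, offset int, mask byte) string {
	return string(xorMask(image[offset:offset+len(reportedKey)], mask))
}

func main() {
	plain := fakeImage([]byte(reportedKey))
	fmt.Println("key as a literal, visible to strings:", keyVisibleToStrings(plain))

	const mask = 0x5a // assumed mask for the constructed sample
	obfuscated := fakeImage(xorMask([]byte(reportedKey), mask))
	fmt.Println("key XOR-masked, visible to strings:  ", keyVisibleToStrings(obfuscated))
	fmt.Println("strings dump of the masked image:    ", extractStrings(obfuscated, 8))
	fmt.Println("key after running the unmask routine:", recoverConstructedKey(obfuscated, 10, mask))
}
```

Run it with `go run`. The masked image still produces a 38-character run in the strings output, just not the key, which is the "raises the bar but does not remove it" point: the routine that rebuilds the key ships in the same image, so a debugger or an emulated run of that routine gives the key back.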
This may be a little off-topic, but,...
How many of you out there actually save your stuff in the "My Documents" folder?
I throw all my stuff out to a network share.
S-
Scammer hires people with the prospect of letting them have some of the money to transfer. Of course not under the premise that it's laundering. They'll claim that they're some international company and need a money representative in the country.
Their "job" would be to have money transfered to their account and then send it via Western Union.
Now follow it if you can. Yes, you'll get the guy who has been hired (or con'ed, your choice) to have his account used in the laundering. But you won't catch the actual person you want to get.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Did anyone ever tell you that a joke isn't funny when you're hearing it for the 800th time? Moron.
Anyone used google before? Results 1 - 10 of about 76 for mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. (0.10 seconds) Word's been out forever
Um diddle diddle diddle um diddle ay
Um diddle diddle diddle um diddle ay
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
Even though the sound of it Is something quite atrocious
If you say it loud enough
You'll always sound precocious
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm
Um diddle diddle diddle um diddle ay
Um diddle diddle diddle um diddle ay
Because I was afraid to speak
When I was just a lad
My father gave me nose a tweak
And told me I was bad
But then one day I learned a word
That saved me aching nose
The biggest word I ever heard
And this is how it goes:
Oh, mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
Even though the sound of it
Is something quite atrocious
If you say it loud enough
You'll always sound precocious
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm
-- @rjamestaylor on Ello
Douglas Adams made one....
"What do you get when you multiply six by nine?" "Forty-two".
Work it out in base 13.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
It's the most remarkable word I've ever seen!
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
I wish I knew exactly what I mean!
It starts out like an M word as anyone can see,
But somewhere in the middle it gets awful 4J to me!
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
If I ever find out just what this word can mean,
I'll be the smartest bird the world has ever seen!
Surely you know better than to have it so easily guessable?
You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.
The system you've described is not [internally] closed - it requires interaction with an external agent [which, in theory, at least, means that the FBI/NSA can track the transaction and find the bad guy].
Ideally, though, you would want this sort of thing to be closed [with the encryption & decryption entirely internal to the system itself].
Now I'm not an expert in encryption [really hardly even a novice], but it's always seemed to me that there must be some meta-theorem in encryption theory which states that this is impossible - that an encrypted system which is capable of de-encrypting itself is necessarily capable of being de-encrypted by a third party [with sufficient time and money on its hands].
But is that true? Has such a meta-theorem been stated and proved?
one small, critical error in coding ?
That sounds like a monumental mistake, not a single small mistake, what are they on?
Obviously this guy is a noob. First of all, as was mentioned by others, why would he bother to decrypt their files? I mean, it's like the "you first, no you, no you" thing you did as kids. If I personally was going to do something illegal like this, I would just delete the files then create a randomly filled file to pose as the data I encrypted. Secondly, if he was just trying to be a nice guy and really needed some money, then yeah he should have come up with a different scheme...I mean one person pays up and posts the key on /. and everyone has the key. Wow, every time I read something like this I just want to smack someone... >:|
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. ~Albert Einstein
Isn't Slashdot implicitly breaking the DMCA by posting this crack? That would be a real unintended consequence of the law if crooks could use it to protect their activities.
-------- -------- Support Wesley Clark for president!!!
That 30 digit code is the same as the version number of IE installed on my machine.
Had to be said, karma be damned
Interested in a Flash-based MAME front end? Visit mame.danzbb.com
(for exceptionally high values of 30.)
The article had an air of truthiness about it...
But then this story on slashdot tipped the guy off so he didn't go collect his payment. Way to go, slashdot! This is almost as bad as the time the CIA had a mole really close to bin Laden until slashdot exposed him.
How can you, as a virus author, get paid without blowing your cover?
Swedish plasma phys. PhD student; MSc EE; knows maths, programming, electronics; finance interest; seeks opportunities
There is a major flaw with the whole ransomware idea and it is that they are actually the most benign kind of virus. They just encrypt your files instead of deleting it? If someone's information is important enough to be worth paying for recovering it should already have a backup copy.
Then the real problem problem for the hacker is getting the money without losing his secret identity
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Did anyone tell YOU that this joke never gets old? Dweeb.
Correct me if I'm wrong, but isn't this similar to how DeCSS got started (the programmers making a mistake in the code, that is).
I seem to recall it was reverse engineering Xing's dvd player libraries that resulted in the release of a DVD decryption key.
[+] mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw, haha, virus, pwned (tagging beta)
Who tagged this article with the password? I find the thought of someone using the password in the tagging system to look for this and related articles to be absurdly hilarious.
I paid for that same password! You can't just publish that since it is unfair to the rest of us who dutifully did what we were told to do to get our data back :(
The real trick to any great ransom is not the actual kidnapping of the hostage its how to do the exchange without getting caught. Does anyone know what mechanism he planned to use in order to not get caught?
I'll feel stupid if the answer has already been added to the discussion but truthfully as I began reading most of the discussion was on the actual password.
Maybe I am wrong, but I thought the Digital Millennium Copyright Act prohibited breaking any encryption and made it a crime to "attempt to circumvent protection". The anti-virus people reverse engineered the virus code, decompiled it, probably ran it under SoftICE and published the password for the whole world to see. Can the author of the virus sue these anti-virus people under DMCA for causing "irreparable financial harm"? And hold slashdot as an accomplice for aiding and abetting the dissemination of the cracking key?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
not if they were VERY small children.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Your .sig prompts the question: Wouldn't being Rediculous require the object to have been diculous 1st?
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
It's just rot13 of "All your documents are belong to us..."
----------------------------------- My Other Sig Is Hilarious -----------------------------------
The CIA won't have a problem taking down an online pharmacy or two, they really hate it when people interfere with their drug trade anyway.
That's my pin number! Excuse me while I change my luggage combination, too.
Well, there's spam egg sausage and spam, that's not got much spam in it.
When confronted with this at a press conference, Mr Adams said "no one makes jokes in base 13". It is a coincidence.
(or so i've heard)
"he, who has quotes in his signature, is a douche" - unknown.
Why does this need code analysis? All it takes is two users who paid the ransom comparing notes to notice that everybody has the same password to unlock...
Simple. Transfer the money to the Bank/Account that's on your screen. Actually I don't think it's too hard for a Russian to open an account for foreign currency at a Moscow bank using false ID and I don't think other than the tax paramilitia they have in Russia would really be interested in what they do with it (unless they're running short of Kulaks in the camps).
In order to take care of this matter you would travel in person to Moscow. Since you haven't prepared for such a "mission" and are on your own you would first have to get a firearm or two. The best thing to do would be to run over two Russian police officers with a stolen car in a rural setting. This is under the assumption that even when those two policemen go missing it will be some time before they're found and before they start in on road blocks. I suppose this sounds hazardous as can be for a start but I don't think purchasing firearms as a foreigner from local crime you don't know is much safer than taking the police firearms. (If they catch you I don't know how many years of harsh labor camps you get for this before they execute you). Armed, you would then start accosting employees of the bank. If threats and intimidation don't give you the information then the next thing to do is to abduct the children of bank employees. Like they say in the songs, "The Russians love their children too", so that will most likely get you the information you need. Now you have the assumed name and a photocopy of the ID they used to open the account and you've gotten a pretty unsharp surveillance video tape of the guy who opened the account. You travel to the Russian backwater the cash withdrawals are made at. With luck they withdraw money regularly from a certain ATM at a certain time. You don't dare loiter near the ATM machines and hope that the same piece of shit comes by that opened the account because it just might be that the bank people you threatened and abducted the children from warned either them and/or told the Russian police. Maybe you will hang on to a child hostage to make sure but that adds complications. If you strike it lucky then you have someone to throw into the back of the van you stole a day ago two hundred miles from X-Gorod and torture him with boiling hot water coming from a portable water boiler plugged into the dashboard.
Let's say he breaks when you tell him the next portion of water goes into his eyes and you will blind him. He tells you about Dmitri, Petr, Pavel and Alex. You execute three people that night still not sure whether the guy you have tied up in the van was lying to you. Sure enough Alex's hard drive has an odd file on it under c:\rawodat\virus.asm. You peruse it while Alex is cowering in the corner with two broken thigh bones and one broken elbow; parts of the bone have broken through the skin. You take a closer look at the source because Alex in this state is not going to get up and run and yes, this is exactly the piece of crap that encrypted my porn collection. You look at Alex and hear his exhausted faint mewls under the gag and his eyes beg you to let him live. You shoot him point blank in the face.
Basically this is what you would have to go through as an American who doesn't know his way around in Russia to get the encryption key and get "justice served". They know that too, which is why they do it outright in the open.
If you enter the password and then press DELETE, you will get warped into the Internet and become a Freakzoid!!
splunge (n) -- A good idea.. but it could be lousy... and I'm not being indecisive!
Just a quick question to the slashdot readers.
Who keeps a whole bunch of files in their my-documents folder anyway?
Can't we all just get along
If a password has 38 characters, it also has 30 characters. Duh.
Also, this post has 5 words.
Would you trust the integrity of the files once you got them back? Kinda stupid to trust data that's been under the control of a malicious virus writer.
I take it this is the first person to report it, rather than the first person to actually be stung and pay up?
Also no mention of the virus writer having his door kicked down yet? Yet this has been known about for one month now. Seems a little slow given they can trace where the money is going...
gone fishing...
wow.....
that's fucked up
The virus author gets paid by the pharmacies to do a virus ad campaign. Victims pay money to the pharmacies. They tell the virus author someone has paid up, author releases the key to them.
No money goes directly from victim to virus author.
AFAIK, the virus doesn't completely trash the actual files on the disk. If it doesn't, a file recovery program would be a simple way to get the files back.
The files aren't encrypted at all.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Keep your My Documents in The Other My Documents folder.
qz
It looks like I just removed my account from XP and created it again, and got all my documents from the backup disk I create weekly (okay, monthly usually). That takes all the fun out of entering "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw" into a little dialog box that promises to give me back my docs if I buy stuff from online pharmacies.
Never mind, that's nothing. I have a diploma from the School of the Americas.
my suggestion would be attempting a joke that's not a variation of one told twice already.
You better watch out, there may be dogs about . .
You know why computer programmers get Thanksgiving and Christmas confused? Cuz OCT 31 == DEC 25.
Only problem with that strategy is that after he gives out the private key to one person... well, it isn't so private anymore (and presumably "extorting one person" is not the entirety of the business model). You need to include a step where the virus phones home for a *unique* public key, then encrypt with that, and have it tied to a *unique* private key.
Help poke pirates in the eyepatch, arr.
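Added example, not code from the story or from any sample, for the per-victim key point in the comment above and for the earlier question of whether a system that can decrypt itself is necessarily decryptable by a third party. It is the standard hybrid (envelope) construction in Go's standard library: AES-256-GCM under a fresh random key for every run, with that key wrapped by RSA-OAEP under a public key, so the encrypting side never holds anything that unwraps its own output. The Envelope layout, the 2048-bit key size, and the sample plaintexts are assumptions of this example. Unlike the hard-coded symmetric key the story describes, nothing recoverable from the machine undoes the work, which is why the comments recommending backups and not getting infected are the only defences left once a writer does this.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is everything that remains on the encrypting machine afterwards:
// ciphertext, GCM nonce and the per-run AES key wrapped under the holder's
// RSA public key. No private material is in it. (Layout assumed here.)
type Envelope struct {
	Ciphertext []byte
	Nonce      []byte
	WrappedKey []byte
}

// generateKeyPair is the key holder's one-time setup. The private half
// stays with the holder; only the public half ever ships.
func generateKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// seal encrypts plaintext under a fresh random AES-256 key, then wraps that
// key with RSA-OAEP. Only the public key is needed, so this side cannot
// unwrap what it produced.
func seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// The raw key is no longer needed on this side; drop it.
	for i := range key {
		key[i] = 0
	}
	return &Envelope{Ciphertext: ct, Nonce: nonce, WrappedKey: wrapped}, nil
}

// unseal is the holder's side: unwrap the AES key with the private key,
// then decrypt. Any other private key fails at the OAEP step.
func unseal(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// sameWrappedKey is the check the "first victim leaks the key" strategy
// depends on; with a fresh key per run it is false for every pair.
func sameWrappedKey(a, b *Envelope) bool {
	return bytes.Equal(a.WrappedKey, b.WrappedKey)
}

func main() {
	holder, err := generateKeyPair(2048)
	if err != nil {
		panic(err)
	}
	first, _ := seal(&holder.PublicKey, []byte("constructed document on machine A"))
	second, _ := seal(&holder.PublicKey, []byte("constructed document on machine B"))
	fmt.Println("same wrapped key on both machines:", sameWrappedKey(first, second))

	got, err := unseal(holder, first)
	fmt.Printf("holder unseals A: %q (err=%v)\n", got, err)

	stranger, _ := generateKeyPair(2048)
	_, err = unseal(stranger, first)
	fmt.Println("anyone else unseals A:", err)
}
```

The contact-the-source step the comment worries about is real: the public key can ship in the image, but the holder still has to learn which wrapped key belongs to which payer, and that exchange is what leaves a trail.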
You forgot the part where Alex's Chechen uncle goes all vendetta on you, your family and everybody you've emailed in the last 8 months.
BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm does not contain 30 digits. Characters perhaps, digits, no. It astounds me that such mistakes can actually make it on the front page of Slashdot.
BeauHD. Worst editor since kdawson.
Yay... so now all the Windows users go back to being held to ransom by Norton, McAfee et al.
1) Register a brand new internet store. ...
2)
3) Profit!
Visit Snowflake Showers
I thought you might want to correct that Sig, it's "Stasi" (abr. "Staats-Sicherheit", roughly "State-Security") :-)
My faith in Slashdotters restored.
From lurhq:
"Your computer caught our software while browsing illegal porn pages, all your documents, text files, databases in the folder My Documents was archived with long password."
Does anyone else find this funny? =P
I always knew that there was a good reason that I never used ANY of the "My" folders.....
I'm waiting for WOOT to offer an Illudium Q-36 Explosive Space Modulator. I need one.
I miss it from my VAX days.
s/Thanksgiving/Halloween/